Thanks for your help Arjan, the 0/0 finally worked :) I was testing the connection from one of the other servers in the buildings, and the server had a real IP address, not one in 172.27.40.0/23, so ipnat was NATing for it too. But after I added "map xl0 from 172.27.0.0/23 to y.y.y.y/32 -> 0/0", it worked.

All the best,
veedee.

On Tue, 4 Dec 2001 21:18:08 +0100, Arjan de Vet wrote:
>In article <[EMAIL PROTECTED]> you write:
>># allow everything to the another building
>>add allow ip from any to 172.27.40.0/23
>>add divert natd ip from any to any via xl0
>>add allow ip from any to any
>I'm not familiar with natd but I guess this means that traffic towards
>172.27.40.0/23 should not be NATted but the rest should.
>>my internal network is 172.27.0.0/23 and the network in the other building is
>>172.27.40.0/23. Their configuration is correct as they are able to
>>masquerade with another building successfully. Now, what we were doing is
>>allow our workstations to use their services one with another. So a station
>>from the other building (let's say 172.27.40.133) was able to ftp, telnet,
>>ssh to a station in my building (for instance 172.27.1.5). So what was sent
>>to the other building was sent "un-masqueraded" (the divert rule came after allow). Also
>>we had to add a route like:
>>"route add -net 172.27.40.0 otherbuilding 255.255.254.0".
>>-- ipnat.rules --
>>map xl0 172.27.0.0/23 -> x.x.x.x/32 proxy port ftp ftp/tcp
>>map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32
>Try something like this:
>map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0 proxy port ftp ftp/tcp
>map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0
>map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32 proxy port ftp ftp/tcp
>map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32
>0/0 is a special directive to indicate that no NAT-ing should take place
>(0/32 is shorthand for the current IP address of the xl0 interface,
>useful if that address is obtained via DHCP).
>The first two rules say that traffic from 172.27.0.0/23 towards
>172.27.40.0/23 should not be natted (but the kernel ftp proxy is still
>used in this case). The rest will be NAT-ed to x.x.x.x.
>
>.....
>
>Arjan
>
>-- 
>Arjan de Vet, Eindhoven, The Netherlands               <[EMAIL PROTECTED]>
>URL : http://www.iae.nl/users/devet/            <[EMAIL PROTECTED]>
>Work: http://www.madison-gurkha.com/  (Security, Open Source, Education)
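The point of the exchange above is that ipnat map rules are evaluated in order and the first matching rule decides whether a packet is translated, so an exemption (`-> 0/0`) only works when it appears before the catch-all `to any` rule. The following script is an added example, not code from the thread or from IPFilter: it parses the three rule sets from the thread (the original two rules, Arjan's four-rule suggestion, and the version with veedee's extra `y.y.y.y/32 -> 0/0` rule) and reports which source address a packet would leave `xl0` with. Assumptions: first-match evaluation of map rules; a `proxy port ftp ftp/tcp` rule only applies to TCP traffic to port 21; `x.x.x.x` and `y.y.y.y` are replaced by RFC 5737 documentation addresses; the `0/32` interface-address shorthand is not modelled; the extra rule is placed before the `to any` rules, since a first-match engine would never reach it otherwise.

```python
import ipaddress

# Constructed stand-ins for the thread's placeholders: x.x.x.x is the address
# traffic is NATted to, y.y.y.y is the other building's server that has a
# public address. Both are RFC 5737 documentation addresses, not real hosts.
NAT_ADDR = "198.51.100.1"
OTHER_SERVER = "203.0.113.10"
ANY = ipaddress.ip_network("0.0.0.0/0")
FTP_PORT = 21  # the only proxy in the thread is "proxy port ftp ftp/tcp"


def _net(token):
    """'any' or a CIDR token becomes an ip_network object."""
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_map_rule(line):
    """Parse one ipnat 'map' rule in either shape used in the thread:
         map IF SRC/LEN -> TARGET/LEN [proxy port ftp ftp/tcp]
         map IF from SRC/LEN to DST/LEN -> TARGET/LEN [proxy port ftp ftp/tcp]
    target is None for the special 0/0 target, which means "do not translate".
    (Assumption: the 0/32 interface-address shorthand is not modelled.)"""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "map" or "->" not in tokens:
        raise ValueError("not a map rule: %r" % line)
    arrow = tokens.index("->")
    if tokens[2] == "from":
        src, dst = _net(tokens[3]), _net(tokens[5])
    else:
        src, dst = _net(tokens[2]), ANY
    target_tok = tokens[arrow + 1]
    target = None if target_tok == "0/0" else str(ipaddress.ip_address(target_tok.split("/")[0]))
    return {"iface": tokens[1], "src": src, "dst": dst, "target": target,
            "proxy": "proxy" in tokens[arrow + 1:]}


def load_rules(text):
    """Parse an ipnat.rules fragment, skipping blank and comment lines."""
    return [parse_map_rule(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def _matches(rule, src, dst, proto, dport):
    if src not in rule["src"] or dst not in rule["dst"]:
        return False
    # Assumption: a "proxy port ftp ftp/tcp" rule only applies to TCP port 21.
    if rule["proxy"] and not (proto == "tcp" and dport == FTP_PORT):
        return False
    return True


def first_match(rules, src, dst, proto="tcp", dport=80):
    """Return (index, rule) of the first rule the packet matches, or (None, None).
    Assumption: ipnat uses the first matching map rule, so rule order matters."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, rule in enumerate(rules):
        if _matches(rule, src, dst, proto, dport):
            return idx, rule
    return None, None


def outbound_source(rules, src, dst, proto="tcp", dport=80):
    """Source address the packet leaves the interface with: unchanged when no
    rule matches or the matching rule's target is 0/0, else the rule's target."""
    _, rule = first_match(rules, src, dst, proto, dport)
    if rule is None or rule["target"] is None:
        return src
    return rule["target"]


# The original ipnat.rules from the thread, with x.x.x.x replaced by NAT_ADDR.
ORIGINAL = load_rules(f"""
map xl0 172.27.0.0/23 -> {NAT_ADDR}/32 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to any -> {NAT_ADDR}/32
""")

# Arjan's suggestion: exempt the other building's network first, NAT the rest.
SUGGESTED = load_rules(f"""
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0
map xl0 from 172.27.0.0/23 to any -> {NAT_ADDR}/32 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to any -> {NAT_ADDR}/32
""")

# veedee's final fix: one more 0/0 rule for the public-addressed server. It is
# placed before the "to any" rules because a first-match engine would never
# reach it after them (assumption; the thread does not say where it was added).
FINAL = load_rules(f"""
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0
map xl0 from 172.27.0.0/23 to {OTHER_SERVER}/32 -> 0/0
map xl0 from 172.27.0.0/23 to any -> {NAT_ADDR}/32 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to any -> {NAT_ADDR}/32
""")

if __name__ == "__main__":
    station, remote = "172.27.1.5", "172.27.40.133"
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED), ("final", FINAL)):
        print(name, "ssh to", remote, "leaves as", outbound_source(rules, station, remote, dport=22))
        print(name, "ftp to", OTHER_SERVER, "leaves as", outbound_source(rules, station, OTHER_SERVER, dport=21))
```

Running it shows the progression from the thread: under the original rules a station talking to the other building is rewritten to the NAT address; under Arjan's rules that traffic passes untranslated while everything else is still NATted, which is exactly why the public-addressed server in the other building was still being masqueraded; the extra `0/0` rule closes that gap. The same evaluator can be pointed at any ipnat.rules fragment of these two shapes to check an exemption's position before loading it on the firewall.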
